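/// <summary>
/// Resolves an Azure AD object id to a friendly display string plus an object-type label.
/// </summary>
/// <param name="objectId">Object id of the user, service principal or group to look up.</param>
/// <param name="adClient">Graph client used for the lookup; when null nothing is resolved.</param>
/// <returns>
/// (details, objectType): details is the display name followed by the UPN (user) or first SPN
/// (service principal) in parentheses when one is known, or "" when nothing resolved;
/// objectType is "User", "Service Principal", "Group" or "Unknown".
/// </returns>
/// <remarks>
/// Every lookup failure is swallowed on purpose, including Graph authorization failures: the
/// caller only loses the friendly name, never the operation. A directory object whose detail
/// query returns nothing is reported with its type and an empty name instead of being lost to
/// the catch through a NullReferenceException.
/// </remarks>
public static (string, string) GetDetailsFromADObjectId(string objectId, ActiveDirectoryClient adClient)
{
    var displayName = "";
    var upnOrSpn = "";
    var objectType = "Unknown";

    if (adClient == null || string.IsNullOrWhiteSpace(objectId))
    {
        return (displayName, objectType);
    }

    try
    {
        var obj = adClient.GetObjectsByObjectId(new List<string> { objectId }).FirstOrDefault();

        // string.Equals tolerates a null obj or a null Type; the instance Equals call did not.
        if (string.Equals(obj?.Type, "user", StringComparison.InvariantCultureIgnoreCase))
        {
            // FirstOrDefault() may be null (principal deleted or hidden); keep the empty name rather than throwing.
            var user = adClient.FilterUsers(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = user?.DisplayName;
            upnOrSpn = user?.UserPrincipalName;
            objectType = "User";
        }
        else if (string.Equals(obj?.Type, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
        {
            var odataQuery = new Rest.Azure.OData.ODataQuery<Graph.RBAC.Version1_6.Models.ServicePrincipal>(s => s.ObjectId == objectId);
            var servicePrincipal = adClient.FilterServicePrincipals(odataQuery).FirstOrDefault();
            displayName = servicePrincipal?.DisplayName;
            upnOrSpn = servicePrincipal?.ServicePrincipalNames?.FirstOrDefault();
            objectType = "Service Principal";
        }
        else if (string.Equals(obj?.Type, "group", StringComparison.InvariantCultureIgnoreCase))
        {
            var group = adClient.FilterGroups(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = group?.DisplayName;
            objectType = "Group";
        }
    }
    catch
    {
        // Best effort only: a failed lookup means no friendly name, not a failed cmdlet.
    }

    // A null display name concatenates as "", so the first element is never null.
    var suffix = string.IsNullOrWhiteSpace(upnOrSpn) ? "" : " (" + upnOrSpn + ")";
    return (displayName + suffix, objectType);
}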
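/// <summary>
/// Converts service-side deny assignments into their PowerShell projection, resolving every
/// referenced principal through Graph in a single batch.
/// </summary>
/// <param name="assignments">Deny assignments returned by the authorization service; null or empty yields an empty list.</param>
/// <param name="activeDirectoryClient">Graph client used to resolve principal ids to directory objects.</param>
/// <param name="excludeAssignmentsForDeletedPrincipals">Passed through to ToPSPrincipals; controls whether principals missing from Graph are dropped.</param>
/// <returns>One PSDenyAssignment per input assignment, in input order.</returns>
/// <exception cref="InvalidOperationException">The caller lacks the Graph permission needed to resolve principals.</exception>
public static IEnumerable<PSDenyAssignment> ToPSDenyAssignments(this IEnumerable<DenyAssignment> assignments, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals = true)
{
    var psAssignments = new List<PSDenyAssignment>();
    if (assignments == null || !assignments.Any())
    {
        return psAssignments;
    }

    // Materialize once: the input is walked twice below and may be a deferred query.
    var assignmentList = assignments.ToList();

    // Only well-formed, non-empty GUIDs are sent to Graph. Guid.Parse would throw on a malformed
    // id and fail the whole listing; TryParse simply skips that principal's lookup.
    bool IsResolvableId(string id) => Guid.TryParse(id, out var guid) && guid != Guid.Empty;

    var objectIds = new List<string>();
    foreach (var da in assignmentList)
    {
        // Either principal list may be absent on the wire.
        if (da.Principals != null)
        {
            objectIds.AddRange(da.Principals.Select(p => p.Id).Where(IsResolvableId));
        }
        if (da.ExcludePrincipals != null)
        {
            objectIds.AddRange(da.ExcludePrincipals.Select(ep => ep.Id).Where(IsResolvableId));
        }
    }
    objectIds = objectIds.Distinct().ToList();

    List<PSADObject> adObjects = null;
    try
    {
        adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
    }
    catch (CloudException ce) when (IsAuthorizationDeniedException(ce))
    {
        // Surface the permission problem with an actionable message; other Graph failures propagate as-is.
        throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
    }

    foreach (var da in assignmentList)
    {
        var psda = new PSDenyAssignment()
        {
            Id = da.Id.GuidFromFullyQualifiedId(),
            DenyAssignmentName = da.DenyAssignmentName,
            Description = da.Description,
            Actions = new List<string>(da.Permissions.SelectMany(p => p.Actions)),
            NotActions = new List<string>(da.Permissions.SelectMany(p => p.NotActions)),
            DataActions = new List<string>(da.Permissions.SelectMany(p => p.DataActions)),
            NotDataActions = new List<string>(da.Permissions.SelectMany(p => p.NotDataActions)),
            Scope = da.Scope,
            DoNotApplyToChildScopes = da.DoNotApplyToChildScopes ?? false,
            IsSystemProtected = da.IsSystemProtected ?? false,
        };
        psda.Principals = da.Principals.ToPSPrincipals(adObjects, excludeAssignmentsForDeletedPrincipals).ToList();
        psda.ExcludePrincipals = da.ExcludePrincipals.ToPSPrincipals(adObjects, excludeAssignmentsForDeletedPrincipals).ToList();
        psAssignments.Add(psda);
    }

    return psAssignments;
}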
/// <summary>
/// Returns true when <paramref name="objId"/> is non-blank and Graph returns at least one
/// directory object for it.
/// </summary>
/// <param name="objId">Object id to look up.</param>
/// <returns>True when the id resolves; false for a blank id or an empty Graph result.</returns>
private bool ValidateObjectId(string objId)
{
    if (string.IsNullOrWhiteSpace(objId))
    {
        return false;
    }

    var matches = ActiveDirectoryClient.GetObjectsByObjectId(new List<string> { objId });
    return matches.Any();
}
/// <summary>
/// Returns true when <paramref name="objId"/> is non-blank and Graph returns at least one
/// directory object for it.
/// </summary>
/// <param name="objId">Object id to look up.</param>
/// <returns>True when the id resolves; false for a blank id or an empty Graph result.</returns>
private bool ValidateObjectId(string objId)
{
    var hasId = !string.IsNullOrWhiteSpace(objId);
    if (!hasId)
    {
        return false;
    }

    // TODO: Remove IfDef
#if NETSTANDARD
    var found = ActiveDirectoryClient.GetObjectsByObjectId(new List<string> { objId }).Any();
#else
    // NOTE(review): sync-over-async on the Graph call; acceptable only without a sync context — confirm.
    var found = ActiveDirectoryClient.GetObjectsByObjectIdsAsync(new[] { objId }, new string[] { }).GetAwaiter().GetResult().Any();
#endif
    return found;
}
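/// <summary>
/// Returns true when <paramref name="objId"/> is non-blank and Graph returns at least one
/// directory object for it.
/// </summary>
/// <param name="objId">Object id to look up.</param>
/// <returns>True when the id resolves; false for a blank id or an empty Graph result.</returns>
/// <exception cref="Exception">Any Graph failure is rethrown unchanged after a warning is written.</exception>
private bool ValidateObjectId(string objId)
{
    if (string.IsNullOrWhiteSpace(objId))
    {
        return false;
    }

    try
    {
        var objectCollection = ActiveDirectoryClient.GetObjectsByObjectId(new List<string> { objId });
        return objectCollection.Any();
    }
    catch (Exception)
    {
        // The resource name suggests a Graph permission problem, the common cause; other causes get the same warning.
        WriteWarning(Resources.ADGraphPermissionWarning);
        // `throw;` keeps the original stack trace; `throw ex;` would reset it to this frame.
        throw;
    }
}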
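/// <summary>
/// Resolves an Azure AD object id to a friendly display string for users and service principals.
/// </summary>
/// <param name="objectId">Object id of the user or service principal to look up.</param>
/// <param name="adClient">Graph client used for the lookup; when null nothing is resolved.</param>
/// <returns>
/// The display name followed by the UPN (user) or first SPN (service principal) in parentheses
/// when one is known; "" when nothing resolved. Never null.
/// </returns>
/// <remarks>
/// Every lookup failure is swallowed on purpose, including Graph authorization failures: the
/// caller only loses the friendly name, never the operation. A detail query that returns
/// nothing yields an empty name instead of a NullReferenceException lost to the catch.
/// </remarks>
public static string GetDisplayNameForADObject(string objectId, ActiveDirectoryClient adClient)
{
    string displayName = "";
    string upnOrSpn = "";

    if (adClient == null || string.IsNullOrWhiteSpace(objectId))
    {
        return displayName;
    }

    try
    {
        var obj = adClient.GetObjectsByObjectId(new List<string> { objectId }).FirstOrDefault();

        // string.Equals tolerates a null obj or a null Type; the instance Equals call did not.
        if (string.Equals(obj?.Type, "user", StringComparison.InvariantCultureIgnoreCase))
        {
            // FirstOrDefault() may be null (principal deleted or hidden); keep the empty name rather than throwing.
            var user = adClient.FilterUsers(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = user?.DisplayName;
            upnOrSpn = user?.UserPrincipalName;
        }
        else if (string.Equals(obj?.Type, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
        {
            var servicePrincipal = adClient.FilterServicePrincipals(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = servicePrincipal?.DisplayName;
            upnOrSpn = servicePrincipal?.ServicePrincipalNames?.FirstOrDefault();
        }
    }
    catch
    {
        // Best effort only: a failed lookup means no friendly name, not a failed cmdlet.
    }

    // A null display name concatenates as "", so the result is never null.
    var suffix = string.IsNullOrWhiteSpace(upnOrSpn) ? "" : " (" + upnOrSpn + ")";
    return displayName + suffix;
}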
/// <summary>
/// Returns true when <paramref name="objId"/> is non-blank and Graph returns at least one
/// directory object for it.
/// </summary>
/// <param name="objId">Object id to look up.</param>
/// <returns>True when the id resolves; false for a blank id or an empty Graph result.</returns>
private bool ValidateObjectId(string objId)
{
    if (string.IsNullOrWhiteSpace(objId))
    {
        return false;
    }

#if NETSTANDARD
    var matches = ActiveDirectoryClient.GetObjectsByObjectId(new List<string> { objId });
#else
    // NOTE(review): sync-over-async on the Graph call; acceptable only without a sync context — confirm.
    var matches = ActiveDirectoryClient.GetObjectsByObjectIdsAsync(new[] { objId }, new string[] { }).GetAwaiter().GetResult();
#endif
    return matches.Any();
}
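/// <summary>
/// Projects service-side role assignments onto PSRoleAssignment objects, resolving each principal
/// through Graph in one batch and each role definition from <paramref name="roleDefinitions"/>.
/// </summary>
/// <param name="assignments">Role assignments to convert; null or empty yields an empty list.</param>
/// <param name="roleDefinitions">Known role definitions, matched by id; an unknown id yields a placeholder with only Id set.</param>
/// <param name="policyClient">Not used by this method; kept so existing callers keep compiling.</param>
/// <param name="activeDirectoryClient">Graph client used for the principal lookup.</param>
/// <param name="excludeAssignmentsForDeletedPrincipals">When true, assignments whose principal is not a user, group or service principal in Graph are dropped.</param>
/// <returns>The converted assignments, in input order.</returns>
private static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, List<PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
    var psAssignments = new List<PSRoleAssignment>();
    if (assignments == null || !assignments.Any())
    {
        return psAssignments;
    }

    // Distinct ids: one principal can hold several assignments, and duplicate objects in the
    // Graph result would make SingleOrDefault below throw.
    var objectIds = assignments.Select(r => r.Properties.PrincipalId.ToString()).Distinct().ToList();
    List<PSADObject> adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);

    foreach (RoleAssignment assignment in assignments)
    {
        assignment.Properties.RoleDefinitionId = assignment.Properties.RoleDefinitionId.GuidFromFullyQualifiedId();

        var principalId = assignment.Properties.PrincipalId;
        PSADObject adObject;
        if (Guid.TryParse(principalId, out Guid pid))
        {
            // Reuse the parsed value instead of re-parsing inside the predicate for every candidate.
            adObject = adObjects.SingleOrDefault(o => o.Id == pid) ?? new PSADObject() { Id = pid };
        }
        else
        {
            // A non-GUID principal id is matched and stored as an ADFS id.
            adObject = adObjects.SingleOrDefault(o => o.AdfsId == principalId) ?? new PSADObject() { AdfsId = principalId };
        }

        PSRoleDefinition roleDefinition = roleDefinitions?.SingleOrDefault(r => r.Id == assignment.Properties.RoleDefinitionId)
            ?? new PSRoleDefinition() { Id = assignment.Properties.RoleDefinitionId };

        bool isKnownPrincipal = adObject is PSADUser || adObject is PSADGroup || adObject is PSADServicePrincipal;
        if (!isKnownPrincipal && excludeAssignmentsForDeletedPrincipals)
        {
            // Principal no longer exists in Graph and the caller asked to hide such assignments.
            continue;
        }

        var psAssignment = new PSRoleAssignment()
        {
            RoleAssignmentId = assignment.Id,
            DisplayName = adObject.DisplayName,
            RoleDefinitionId = roleDefinition.Id,
            RoleDefinitionName = roleDefinition.Name,
            Scope = assignment.Properties.Scope,
            ObjectId = string.IsNullOrEmpty(adObject.AdfsId) ? adObject.Id.ToString() : adObject.AdfsId,
        };
        if (isKnownPrincipal)
        {
            // A missing principal keeps the default ObjectType, as before.
            psAssignment.ObjectType = adObject.Type;
        }
        if (adObject is PSADUser user)
        {
            psAssignment.SignInName = user.UserPrincipalName;
        }
        psAssignments.Add(psAssignment);
    }

    return psAssignments;
}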
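/// <summary>
/// Projects service-side role assignments onto PSRoleAssignment objects, resolving each principal
/// through Graph in one batch and each role definition from <paramref name="roleDefinitions"/>.
/// </summary>
/// <param name="assignments">Role assignments to convert; null or empty yields an empty list.</param>
/// <param name="roleDefinitions">Known role definitions, matched by id; an unknown id yields a placeholder with only Id set.</param>
/// <param name="policyClient">Not used by this method; kept so existing callers keep compiling.</param>
/// <param name="activeDirectoryClient">Graph client used for the principal lookup.</param>
/// <param name="excludeAssignmentsForDeletedPrincipals">When true, assignments whose principal is not a user, group or service principal in Graph are dropped; otherwise they are emitted with ObjectType = DeletedObject.</param>
/// <returns>The converted assignments, in input order.</returns>
/// <exception cref="InvalidOperationException">The caller lacks the Graph permission needed to resolve principals.</exception>
private static IEnumerable<PSRoleAssignment> ToPSRoleAssignments(this IEnumerable<RoleAssignment> assignments, IEnumerable<PSRoleDefinition> roleDefinitions, AuthorizationClient policyClient, ActiveDirectoryClient activeDirectoryClient, bool excludeAssignmentsForDeletedPrincipals)
{
    var psAssignments = new List<PSRoleAssignment>();
    if (assignments == null || !assignments.Any())
    {
        return psAssignments;
    }

    // Distinct ids: one principal can hold several assignments, and duplicate objects in the
    // Graph result would make SingleOrDefault below throw.
    var objectIds = assignments.Select(r => r.PrincipalId.ToString()).Distinct().ToList();

    List<PSADObject> adObjects = null;
    try
    {
        adObjects = activeDirectoryClient.GetObjectsByObjectId(objectIds);
    }
    catch (CloudException ce) when (IsAuthorizationDeniedException(ce))
    {
        // Surface the permission problem with an actionable message; other Graph failures propagate as-is.
        throw new InvalidOperationException(ProjectResources.InSufficientGraphPermission);
    }

    foreach (RoleAssignment assignment in assignments)
    {
        assignment.RoleDefinitionId = assignment.RoleDefinitionId.GuidFromFullyQualifiedId();

        PSADObject adObject = adObjects.SingleOrDefault(o => o.Id == assignment.PrincipalId)
            ?? new PSADObject() { Id = assignment.PrincipalId };

        PSRoleDefinition roleDefinition = roleDefinitions?.SingleOrDefault(r => r.Id == assignment.RoleDefinitionId)
            ?? new PSRoleDefinition() { Id = assignment.RoleDefinitionId };

        // CanDelegate is nullable on the wire; absent means "not delegable".
        bool delegationFlag = assignment.CanDelegate ?? false;

        bool isKnownPrincipal = adObject is PSADUser || adObject is PSADGroup || adObject is PSADServicePrincipal;
        if (!isKnownPrincipal && excludeAssignmentsForDeletedPrincipals)
        {
            // Principal no longer exists in Graph and the caller asked to hide such assignments.
            continue;
        }

        var psAssignment = new PSRoleAssignment()
        {
            RoleAssignmentId = assignment.Id,
            DisplayName = adObject.DisplayName,
            RoleDefinitionId = roleDefinition.Id,
            RoleDefinitionName = roleDefinition.Name,
            Scope = assignment.Scope,
            ObjectId = adObject.Id,
            ObjectType = isKnownPrincipal ? adObject.Type : DeletedObject,
            CanDelegate = delegationFlag,
        };
        if (adObject is PSADUser user)
        {
            psAssignment.SignInName = user.UserPrincipalName;
        }
        psAssignments.Add(psAssignment);
    }

    return psAssignments;
}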
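/// <summary>
/// Resolves an Azure AD object id to a friendly display string for users, service principals and groups.
/// </summary>
/// <param name="objectId">Object id of the directory object to look up.</param>
/// <param name="adClient">Graph client used for the lookup; when null nothing is resolved.</param>
/// <returns>
/// The display name followed, in parentheses, by the UPN (user), first SPN (service principal)
/// or — on the non-NETSTANDARD build only — mail nickname (group) when one is known; "" when
/// nothing resolved. Never null.
/// </returns>
/// <remarks>
/// Every lookup failure is swallowed on purpose, including Graph authorization failures: the
/// caller only loses the friendly name, never the operation. A detail query that returns
/// nothing yields an empty name instead of a NullReferenceException lost to the catch.
/// The two preprocessor branches call different Graph client APIs but return the same shape.
/// </remarks>
public static string GetDisplayNameForADObject(string objectId, ActiveDirectoryClient adClient)
{
    string displayName = "";
    string upnOrSpn = "";

    if (adClient == null || string.IsNullOrWhiteSpace(objectId))
    {
        return displayName;
    }

    try
    {
#if NETSTANDARD
        var obj = adClient.GetObjectsByObjectId(new List<string> { objectId }).FirstOrDefault();

        // string.Equals tolerates a null obj or a null Type; the instance Equals call did not.
        if (string.Equals(obj?.Type, "user", StringComparison.InvariantCultureIgnoreCase))
        {
            // FirstOrDefault() may be null (principal deleted or hidden); keep the empty name rather than throwing.
            var user = adClient.FilterUsers(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = user?.DisplayName;
            upnOrSpn = user?.UserPrincipalName;
        }
        else if (string.Equals(obj?.Type, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
        {
            var servicePrincipal = adClient.FilterServicePrincipals(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = servicePrincipal?.DisplayName;
            upnOrSpn = servicePrincipal?.ServicePrincipalNames?.FirstOrDefault();
        }
        else if (string.Equals(obj?.Type, "group", StringComparison.InvariantCultureIgnoreCase))
        {
            var group = adClient.FilterGroups(new ADObjectFilterOptions { Id = objectId }).FirstOrDefault();
            displayName = group?.DisplayName;
        }
#else
        // NOTE(review): sync-over-async on every Graph call in this branch; acceptable only without a sync context — confirm.
        var obj = adClient.GetObjectsByObjectIdsAsync(new[] { objectId }, new string[] { }).GetAwaiter().GetResult().FirstOrDefault();

        if (string.Equals(obj?.ObjectType, "user", StringComparison.InvariantCultureIgnoreCase))
        {
            var user = adClient.Users.GetByObjectId(objectId).ExecuteAsync().GetAwaiter().GetResult();
            displayName = user?.DisplayName;
            upnOrSpn = user?.UserPrincipalName;
        }
        else if (string.Equals(obj?.ObjectType, "serviceprincipal", StringComparison.InvariantCultureIgnoreCase))
        {
            var servicePrincipal = adClient.ServicePrincipals.GetByObjectId(objectId).ExecuteAsync().GetAwaiter().GetResult();
            displayName = servicePrincipal?.AppDisplayName;
            upnOrSpn = servicePrincipal?.ServicePrincipalNames?.FirstOrDefault();
        }
        else if (string.Equals(obj?.ObjectType, "group", StringComparison.InvariantCultureIgnoreCase))
        {
            var group = adClient.Groups.GetByObjectId(objectId).ExecuteAsync().GetAwaiter().GetResult();
            displayName = group?.DisplayName;
            upnOrSpn = group?.MailNickname;
        }
#endif
    }
    catch
    {
        // Best effort only: a failed lookup means no friendly name, not a failed cmdlet.
    }

    // A null display name concatenates as "", so the result is never null.
    var suffix = string.IsNullOrWhiteSpace(upnOrSpn) ? "" : " (" + upnOrSpn + ")";
    return displayName + suffix;
}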